Re: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-01.txt

Michiko Short <> Thu, 30 April 2015 20:49 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 4A1101A007F for <>; Thu, 30 Apr 2015 13:49:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id TdSTaTNQqJS6 for <>; Thu, 30 Apr 2015 13:49:28 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8BCA21A0060 for <>; Thu, 30 Apr 2015 13:49:28 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Thu, 30 Apr 2015 20:49:27 +0000
Received: from ([]) by ([]) with mapi id 15.01.0160.009; Thu, 30 Apr 2015 20:49:27 +0000
From: Michiko Short <>
To: Benjamin Kaduk <kaduk@MIT.EDU>
Thread-Topic: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-01.txt
Thread-Index: AQHQXZiJ07vPZrskK0qMbSTckV74FZ0an2mggAAi1zCAAAm3AIAH5dPggD8GlGCAAwGSAIABk5AA
Date: Thu, 30 Apr 2015 20:49:26 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results: MIT.EDU; dkim=none (message not signed) header.d=none;
x-originating-ip: [2001:4898:80e8:ed31::5]
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BL2PR03MB211;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(3002001); SRVR:BL2PR03MB211; BCL:0; PCL:0; RULEID:; SRVR:BL2PR03MB211;
x-forefront-prvs: 056297E276
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(377454003)(51704005)(13464003)(93886004)(106116001)(92566002)(19580395003)(19580405001)(122556002)(230783001)(76176999)(2900100001)(2950100001)(46102003)(50986999)(40100003)(76576001)(2171001)(86612001)(5001920100001)(87936001)(2656002)(99286002)(86362001)(54356999)(62966003)(77156002)(74316001)(102836002)(33656002)(5001960100002)(110136002)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BL2PR03MB211;; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Apr 2015 20:49:26.1317 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL2PR03MB211
Archived-At: <>
Cc: "" <>, Sam Hartman <hartmans-ietf@MIT.EDU>
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-01.txt
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 30 Apr 2015 20:49:30 -0000

Valid point.

So the RFC has the option where the client requests and the KDC provides on request. 

Two other options:
1. client sends an AS ping without explicit request
2. client sends PKInit AS-REQ which fails with KDC responding with the freshness token.

My understanding is that 1 is a non-starter for non-Microsoft implementations since accounts are typically configured to not require pre authentication which means that the KDC would return a TGT. 

2 would result in double the PKInit AS-REQs. I would prefer not to have throw away crypto operations and my expectation is that over time this would be how all the PKInit exchanges would work as realms protect against this attack. Additionally, although I am not aware of any implementations, this would be a hard blocker for anyone wanting to have user approval for using a certificate. Also, I am not sure if this would set off security software because it would increase AS-REQ failures which might be considered an attack. Anything looking for an increase in AS-REQ failures would need to be updated to look for a corresponding freshness token or filter out PKInit (unless it was trying to look for this attack). When we created the AS ping for AES we got a tons of inquiries due the increase in authentication failures with the deployment of Windows Vista.

-----Original Message-----
From: Benjamin Kaduk [mailto:kaduk@MIT.EDU] 
Sent: Wednesday, April 29, 2015 1:25 PM
To: Michiko Short
Cc: Greg Hudson; Sam Hartman;
Subject: RE: [kitten] I-D Action: draft-ietf-kitten-pkinit-freshness-01.txt

On Mon, 27 Apr 2015, Michiko Short wrote:

> Time for me to publish a new draft since this one is expiring.
> We found a use case in our implementation of PKInit where the client 
> must request a freshness token or else they will get a principal not 
> found error, so we need to keep the client behavior. I would prefer to 
> not make that MS-PKCA Microsoft extension. It there any problem with 
> keeping the client language as is? Also we would prefer to keep token 
> generation limited to the public key case. Yes, we are hoping to 
> expand the number of customers who use PKInit, but there will still be 
> customers for a while who do not, have old servers, etc.

I think I've lost track of which client behavior is in question -- is this just the part where the client sends an empty PA_AS_FRESHNESS padata to indicate support of freshness tokens and prompt the KDC to send one (in contrast to having the KDC always send a freshness token on all requests or all requests being offered PKINIT)?

It does not seem like a bad scheme to me in the abstract, but it seems that if we permit it, than all clients wishing to use freshness tokens must be prepared to implement it, in case they encounter a KDC which does not proactively provide freshness tokens.  That's probably fine, but we should consciously take that choice instead of just falling into it.